5 minutes with... Jean-François TYRODE

May 24, 2024

Meet Jean-François TYRODE, a senior cybersecurity consultant in the Cyber Defense activity of Thales (150 cyber consultants in France) who has been supporting Air Navigation Service Providers (ANSPs) since 2017. Holder of several cyber certifications such as ISO 27001, complemented by aviation certifications (EUROCONTROL, IATA), he shares with us how he enjoys supporting ANSPs in their cyber risk assessment challenges.

What is your background?

I have been working for Thales in various cyber-related roles for 20 years. For the first ten years, I was project director for the development of security and dematerialisation solutions.

But after a few years on the job, I noticed that in many of the projects I was working on, there were quite a few legal challenges that needed to be addressed in the cyber security domain. I have an IT engineering diploma and I wanted to get a double competency, technical and law. I decided to take one year off to study law in Information Technology (IT) with a specialized Master at Paris-Sorbonne University (in which I was later able to teach one cyber security module) to develop the expertise that would allow me to fully understand and tackle new Thales challenges.

When I returned to Thales, I wanted to use these new skills, so I moved into Thales’ Cyber Defense domain to become a cyber consultant. Today, I am Mission Director in the Cyber Consulting Department, and my primary focus is on performing risk analysis and cyber assessment in the Air Traffic Management (ATM) environment.

 

What do you think is Thales’ key added value for cyber security in ATM?

In my organisation, we have a team of 150 experts dedicated to cybersecurity consulting. We have been working for almost a decade for Air Traffic Management. It all started with a cyber risk assessment for an Air Navigation Service Provider in Europe.

The experience of pairing ATM and cyber security expertise in one project was so positive (after the initial assessment, the customer asked us to continue supporting their efforts to protect their centre effectively) that we realised it was something we could offer to all our customers.

Our key added value is the fact that we can offer this double expertise so that our customers know that they are getting the best of ATM knowledge combined with the best of cyber security savoir-faire. This way, each solution is uniquely tailor-made to specific ATM-related cyber risks.

 

Speaking of which, what are the main challenges in ensuring cyber security in ATM?

I see two main challenges in relation to ensuring cyber security in ATM.

First, ATM systems are extremely complex. Made of multiple subsystems interconnected both internally (ATC centres, control towers, navigation systems, aircraft, etc.) and externally (Internet for weather services, SATCOM for communication, civil and military systems) and carrying significant quantities of data and information, ATM systems present a significant surface for attack. The fact that many of these centres rely on several suppliers, who also need to connect to the systems, also adds to the systems’ vulnerabilities.

The key challenge here is to have an in-depth understanding of how these systems work and interconnect and carry out an extensive risk analysis to identify where and what specific cybersecurity measures should be taken.

Second, the regulatory framework for cyber security in the ATM world has evolved over the past few years and is becoming increasingly complex. From ICAO’s Annex 17 and European Union Regulation 2019/1583 transposing ICAO’s cyber security standards to EASA’s PART-IS regulation, which was adopted in 2022 and which will be applicable for Air Navigation Services systems in February 2026, customers now need to take several steps to ensure that they are fully compliant.

With so much going on, depending on customers’ levels of maturity in cyber security, it can become difficult to know what needs to be applied when, where, and to what extent. Our experience has taught us that it is often important for many potential customers to have cyber and ATM experts by their side, guiding them through this regulatory maze.

 

Why is Thales uniquely positioned to address these challenges?

We have a two-step approach when working for ANSPs to conduct cybersecurity maturity audits. First, we carry out an organisational audit, which allows us to get a sense of the different processes and procedures in place and the extent to which customers are prepared to deal with potential cybersecurity vulnerabilities and accidents. Then, we can offer technical audits, for example executing several penetration tests, network traffic analyses, etc., to identify possible vulnerabilities.

What is important for our customers is to understand that we are here to support them every step of the way, whatever their maturity level. We have the tools (we developed a comprehensive questionnaire featuring all the questions from the different regulations to guide us through our auditing processes), the teams, the expertise and the knowledge to do so. I, for instance, hold several certifications, including ISO 27001 Lead Implementer, EBIOS Risk Manager, EUROCONTROL/Cyber, and IATA/Cyber, which allow me to implement information security standards and frameworks.

 

What do you enjoy about your work at Thales?

One of this job's most interesting aspects is the variety of customers we encounter. Working across cultures and with different levels of cyber security maturity, no two projects are the same. This extensive, varied experience also allows us all to grow as experts in our field and across cyber and ATM, learning from all the projects and carrying that experience into the next one.
